vt_ioctl: fix potential spectre v1 in VT_DISALLOCATE

In VT_ACTIVATE an almost identical code path has been patched with array_index_nospec. In the VT_DISALLOCATE path, the arg is the user input from a system call argument and lately used as a index for vc_cons[index].d access, which can be reached through path like vt_disallocate->vc_busy or vt_disallocate->vc_deallocate. For consistency both code paths should have the same mitigations applied. Also, the code style is adjusted as suggested by Jiri. Reviewed-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> Link: https://lore.kernel.org/r/20220314122921.31223-1-xiam0nd.tong@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-03-14 20:29:21 +08:00 · 2022-03-14 20:29:21 +08:00 · b31c41339f
parent f58c252e30
commit b31c41339f
1 changed files with 6 additions and 4 deletions
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@ -898,11 +898,13 @@ int vt_ioctl(struct tty_struct *tty,
 		if (arg > MAX_NR_CONSOLES)
 			return -ENXIO;

-		if (arg == 0)
+		if (arg == 0) {
 			vt_disallocate_all();
-		else
-			return vt_disallocate(--arg);
-		break;
+			break;
+		}
+
+		arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES);
+		return vt_disallocate(arg);

 	case VT_RESIZE:
 	{